Open Bug 1591071 Opened 4 years ago Updated 6 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/vr/VRServiceTest.cpp in mozilla::dom::VRMockController::SetAxisValue(unsigned int, double)

Categories

(Core :: WebVR, defect, P3)

Product:
Core
Component:
WebVR
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox72 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

testcase.html
358 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev ba30626ccb8c.

==30083==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000028e0 (pc 0x7fdc93d17d49 bp 0x7ffce85d7b70 sp 0x7ffce85d7b70 T0)
==30083==The signal is caused by a WRITE memory access.
    #0 0x7fdc93d17d48 in mozilla::dom::VRMockController::SetAxisValue(unsigned int, double) /builds/worker/workspace/build/src/dom/vr/VRServiceTest.cpp
    #1 0x7fdc9099037b in mozilla::dom::VRMockController_Binding::setAxisValue(JSContext*, JS::Handle<JSObject*>, mozilla::dom::VRMockController*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/VRServiceTestBinding.cpp:934:24
    #2 0x7fdc9186e30c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3198:13
    #3 0x7fdc983b7649 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:458:13
    #4 0x7fdc983b7649 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:550:12
    #5 0x7fdc983a0194 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:623:10
    #6 0x7fdc983a0194 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3112:16
    #7 0x7fdc9838207a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #8 0x7fdc983b814e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:13
    #9 0x7fdc983ba459 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636:8
    #10 0x7fdc98580a13 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:103:10
    #11 0x7fdc98580a13 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1698:10
    #12 0x7fdc983b7649 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:458:13
    #13 0x7fdc983b7649 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:550:12
    #14 0x7fdc983ba459 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636:8
    #15 0x7fdc9861440c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2722:10
    #16 0x7fdc8feca386 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
    #17 0x7fdc8ac6d487 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #18 0x7fdc8ac6d487 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104:12
    #19 0x7fdc8ac6d487 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:245:18
    #20 0x7fdc8ac47851 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:666:17
    #21 0x7fdc8ac4850f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:495:3
    #22 0x7fdc8d1e0e6d in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1326:28
    #23 0x7fdc8ae43cb8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1283:24
    #24 0x7fdc8ae49c01 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #25 0x7fdc8c0a23cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #26 0x7fdc8bf9b5f2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #27 0x7fdc8bf9b5f2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #28 0x7fdc8bf9b5f2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #29 0x7fdc9423d1e8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #30 0x7fdc9810c326 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #31 0x7fdc8bf9b5f2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #32 0x7fdc8bf9b5f2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #33 0x7fdc8bf9b5f2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #34 0x7fdc9810bbe5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #35 0x55b4beeb1db0 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #36 0x55b4beeb1db0 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
    #37 0x7fdcadde5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/vr/VRServiceTest.cpp in mozilla::dom::VRMockController::SetAxisValue(unsigned int, double)
Flags: in-testsuite?

The priority flag is not set for this bug.
:kip, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(kgilbert)
Flags: needinfo?(kgilbert)
Priority: -- → P3
Severity: normal normal → S3 S3
You need to log in before you can comment on or make changes to this bug.